├── .gitignore
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov
coverage.json

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# TypeScript v1 declaration files
typings/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variables file
.env
.env.test

# parcel-bundler cache (https://parceljs.org/)
.cache

# Next.js build output
.next

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and *not* Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# The LoopFi Bug Bounty is closed for submissions

# LoopFi Bounty Details

- Until TVL < $500,000
- Critical: $50,000
- Once TVL > $500,000
- Critical: $100,000
- High severity: $25,000 - $50,000
- Medium severity: $10,000 - $25,000
- [Read our Code4rena bug bounty guidelines for more details](https://docs.code4rena.com/awarding/judging-criteria/bounty-criteria)

❗ _Note for participants: The sponsor's repo, scope definition, and contents herein are all subject to change._

## Publicly Known Issues

- Crafting malicious calldata so that users get less funds than expected when claiming lpETH on LRT deposits (e.g. by setting big slippage/price impact)
- Owner setting malicious lpETH and lpETHVault contracts. Users have 7 days to withdraw in that case.
- Previous audit findings are out of scope.

All known/disputed/unsatisfactory issues from LoopFi [contest](https://code4rena.com/audits/2024-05-loopfi#top) in C4 and any previous audits.


# Project Overview

Users can lock ETH, WETH and wrapped LRTs into this contract, which will emit events tracked on a backend to calculate their corresponding amount of points. When staking, users can use a referral code encoded as `bytes32` that will give the referral extra points.

When Loop contracts are launched, the owner of the contract can call `setLoopAddresses` only once to set the `lpETH` contract as well as the staking vault for this token. This activation date is stored at `loopActivation`.

Once these addresses are set, all deposits are paused and users have `7 days` to withdraw their tokens in case they change their mind or detect that a malicious contract was set. On withdrawal, users lose all their points.

After these `7 days` the owner can call `convertAllETH`, which converts all ETH in the contract to `lpETH`. This conversion has the timestamp `startClaimDate`. The conversion for LRTs happens on each claim by using the 0x API and is triggered by each user.

After the global ETH conversion, users can start claiming their `lpETH` or claiming and staking them in a vault for extra rewards. The amount of `lpETH` they receive is proportional to their locked ETH amount or the amount given by the conversion by the 0x API. The minimum amount to receive is determined offchain and controlled by a slippage parameter in the frontend dApp.

For more information about LoopFi, please visit https://www.loopfi.xyz/.


## Links

- **Previous audits:** [Audit Reports](https://docs.loopfi.xyz/extras/security)
- **Documentation:**
  - [Loopfi introduction](https://docs.loopfi.xyz/)
- **Codebase:**
  - [Contracts](https://github.com/loopfi-io/loopfi-contracts.)
- **Website:** https://www.loopfi.xyz/
- **Twitter:** [@loopfixyz](https://x.com/loopfixyz)
- **Discord:** https://discord.gg/mVqf2Q5Whg


# Scope

| Contract | SLOC | Purpose | Libraries used |
| ----------- | ----------- | ----------- | ----------- |
| [PrelaunchPoints.sol](https://github.com/LoopFi/loop-prelaunch-contracts/blob/main/src/PrelaunchPoints.sol) | 135 | Users can stake ETH into this contract, which will emit events tracked on a backend to calculate their corresponding amount of points. When staking, users can use a referral code encoded as bytes32 that will give the referral extra points. | [`@openzeppelin/*`](https://openzeppelin.com/contracts/) |

# Additional context

## Main invariants

- Only the owner can set new accepted LRTs, change mode to emergency mode on failure of 0x integration, and set a new owner
- Deposits are active until the lpETH contract and lpETHVault contract are set
- Withdrawals are only active in emergency mode or during the 7 days after loopActivation is set
- Users that deposit ETH/WETH get the correct amount of lpETH on claim (1 to 1 conversion)
- Users that deposit LRTs get the correct amount assuming a favorable swap to ETH


## Attack ideas (where to focus for bugs)
- Malicious 0x protocol calldata crafting by users to steal funds on claim
- User funds getting locked forever

## All trusted roles in the protocol


| Role                                | Description                       |
| --------------------------------------- | ---------------------------- |
| Owner                          | Has access to privileged functions, contract owner                |

## Miscellaneous

Employees of LoopFi and employees' family members are ineligible to participate in this bounty.

--------------------------------------------------------------------------------
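
The lifecycle from the Project Overview and the timing rules under "Main invariants", written as a small Python model that a reviewer can replay call sequences against. This is an added example, not LoopFi's Solidity code: the method names, the `Rejected` exception, the `"owner"` caller string and the inclusive window bounds are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

TIMELOCK = 7 * 24 * 3600  # the README's 7-day withdrawal window, in seconds

class Rejected(Exception):
    """Raised where the real contract would be expected to revert."""

@dataclass
class PrelaunchModel:
    locked: dict = field(default_factory=dict)   # user -> locked ETH/WETH (wei)
    loop_activation: Optional[int] = None        # set once by set_loop_addresses
    start_claim_date: Optional[int] = None       # set by convert_all_eth
    emergency: bool = False                      # owner-only switch per the invariants

    def _owner(self, caller):
        if caller != "owner":                    # "owner" is a placeholder identity
            raise Rejected("owner only")

    def lock(self, user, amount):
        if self.loop_activation is not None:
            raise Rejected("deposits paused once Loop addresses are set")
        self.locked[user] = self.locked.get(user, 0) + amount

    def set_loop_addresses(self, caller, now):
        self._owner(caller)
        if self.loop_activation is not None:
            raise Rejected("can only be called once")
        self.loop_activation = now

    def withdraw(self, user, now):
        act = self.loop_activation
        in_window = act is not None and act <= now <= act + TIMELOCK  # bounds assumed
        if not (self.emergency or in_window):
            raise Rejected("withdrawals closed")
        return self.locked.pop(user, 0)          # points are forfeited off-chain

    def convert_all_eth(self, caller, now):
        self._owner(caller)
        if self.loop_activation is None or now <= self.loop_activation + TIMELOCK:
            raise Rejected("7-day window still open")
        self.start_claim_date = now

    def claim(self, user, now):
        if self.start_claim_date is None or now < self.start_claim_date:
            raise Rejected("claims not open")
        return self.locked.pop(user, 0)          # ETH/WETH -> lpETH is 1 to 1

def allowed(action, *args):
    """True if the model accepts the call, False if it rejects it."""
    try:
        action(*args)
        return True
    except Rejected:
        return False
```

LRT claims are left out of the model because their output depends on the 0x swap and the off-chain slippage setting.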